Elf/BakSo.SX!tr

Analysis

ELF/BakSo.SX!tr is a generic detection for a trojan. Because the detection is generic, samples detected as ELF/BakSo.SX!tr may exhibit varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware is related to the PSIRT Advisory - FG-IR-22-398. It involves a heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN that may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

  • The malware has been associated with the following advisory: https://www.fortiguard.com/psirt/FG-IR-22-398

  • Following are some of the exact file hashes associated with this detection:

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-04-17 91.02456
2023-04-03 91.02022
2023-02-27 91.00983
2023-02-21 91.00794
2023-02-16 91.00640
2023-02-14 91.00573
2023-02-07 91.00363
2023-01-24 90.09944
2023-01-10 90.09525
2023-01-10 90.09523